Search code examples
javascriptsamlkeycloakmapper

Transforming LDAP group memberships to SAML Attributes in Keycloak

I need to transform the group memberships from an external LDAP directory into a SAML attribute within a SAML session using Keycloak. There will be an undefined number of group memberships for each user. The group name will have a tenant ID for Amazon AWS and the defined role for the user within Amazon (eg. AWS-11111111111-Administrator), so I am quite sure that the way has to be to use the JavaScript Mapper in the client configuration and do some substring modification.

  • Is there a way to test the Javascript somehow without having to try and error / login and check SAML session?
  • how do I get the Groups as String Values from the LDAP User in the Javascript Mapper in Keycloak?

Example for LDAP Groups (Muliple Groups per user)

AWS-11111111111-Administrator
AWS-11111111111-Contributer

SAML Attributes will have to look like:

arn:aws:iam::11111111111:saml-provider/ProviderName,arn:aws:iam::11111111111:role/Administrator
arn:aws:iam::11111111111:saml-provider/ProviderName,arn:aws:iam::11111111111:role/Contributer
Solution

  • I helped myself with this. The biggest part of the issue for me was the missing "test-button" to verify what the code is doing. Also, finding out that a simple Java Script Array is not iterated at the end (other than the Mouse-Over hints are saying).

    You need to keep in mind that this is the server-side Nashorn interpreter so it has not much to do with Javascript that usually runs in the browser... sorry for potentual inaccuracy within my question:

    /**


 * Available variables: 
 * user - the current user
 * realm - the current realm
 * clientSession - the current clientSession
 * userSession - the current userSession
 * keycloakSession - the current userSession
 */


//insert your code here...


// use the Identifier variable to filter the relevant groups for this client
var identifier = 'aws'; 

var StringArray = Java.type("java.lang.String[]");
var ArrayList = Java.type('java.util.ArrayList');

var GroupSet = user.getGroups();
var Output = new ArrayList();
var identifier = identifier.toLowerCase();

for each (var group in GroupSet) {
    if (group.getName().toLowerCase().contains(identifier)){
    var GroupNameArray = (group.getName().split('-'));
    var tenant = GroupNameArray[2];
    var role = GroupNameArray[3];
    Output.add("Arn:aws:iam::"+tenant+":saml-provider/company,arn:aws:iam::"+tenant+":role/"+role);
    }
}

Output;